Impact
A NULL pointer dereference in the batman‑adv module causes the kernel to crash when OGM packets are sent over an interface that has been disabled. The fault triggers a dereference of a now‑NULL mesh_iface pointer and results in a kernel panic, bringing the host down and terminating all services. This represents a high‑impact denial‑of‑service weakness (CWE‑476).
Affected Systems
The bug lives in the Linux kernel’s batman‑adv (B.A.T.M.A.N. advanced) network driver. Any Linux system that has a kernel build including batman‑adv and that allows OGM traffic on interfaces that can be disabled is potentially affected. All current kernel releases before the specific commit that fixed the issue contain the vulnerable code.
Risk and Exploitability
Based on the description, it is inferred that the attacker must have local or privileged access to configure batman‑adv and trigger OGM traffic on a disabled interface. This inference is not directly stated in the advisory. The EPSS score is not available and the vulnerability is not in the CISA KEV catalog, implying no publicly documented exploitation exists at this time. Although no CVSS score is published, the NULL dereference that leads to a kernel crash indicates high risk for availability.
OpenCVE Enrichment
Debian DLA